CFO’s Being Targeted in MuddyWater’s Multi-Stage Phishing Campaign

Published Date: August 22, 2025
Category: ShadowOpsIntel
Share:

APT MuddyWater is running a spear-phishing campaign aimed at CFOs and finance executives worldwide. The attack chain involves Firebase-hosted phishing sites with CAPTCHA challenges, malicious VBS scripts, and staged payloads. Attackers abuse legitimate tools such as NetBird and OpenSSH to gain persistence and remote access.

Severity Level: High

Threat Details

    1. Initial Access & Infection Vectors
      • Spear-phishing emails impersonating Rothschild & Co recruiters.
      • Victims are directed to Firebase-hosted phishing pages using custom CAPTCHA challenges.
      • Phishing kits feature AES-encrypted redirect logic to evade detection.
    2. Payload Delivery:
      • Victims are prompted to download a ZIP file (e.g., F-144822.zip) containing a malicious VBS script (F-144822.vbs).
      • The VBS script downloads secondary payloads from attacker infrastructure (198.46.178[.]135).
      • Payload execution is hidden and staged to reduce detection likelihood.
    3. Persistence Mechanisms:
      • Installation of NetBird and OpenSSH services to establish encrypted remote tunnels.
      • Creation of hidden local admin accounts (user / Bs@202122).
      • RDP enabled and firewall rules adjusted to allow external connections.
      • Scheduled tasks created to ensure NetBird restarts on every boot.
      • Deletion of NetBird shortcuts to hide traces from victims.
    4. Infrastructure Evolution:
      • Shift observed from 192.3.95.152 to 198.46.178.135 as command-and-control infrastructure.
      • Multiple Firebase and web[.]app domains observed (googl-6c11f[.]firebaseapp[.]com, cloud-233f9[.]firebaseapp[.]com, my-sharepoint-inc[.]com).
      • Evidence of shared phishing kits across multiple domains, featuring French math-based CAPTCHA challenges.
    5. Attribution & Overlaps:
      • Overlaps in TTPs and infrastructure strongly link activity to APT MuddyWater.
      • Reuse of the same NetBird setup key, identical service names, and credentialed admin accounts across campaigns.
      • Use of AteraAgent.exe in related campaigns, consistent with MuddyWater’s history of abusing legitimate tools.
    6. Immediate Impact
      • CFOs and finance executives are at direct risk of credential theft, persistent remote compromise, and potential financial fraud.
      • Global campaign scope with confirmed targeting across Europe, North America, South America, Africa, and Asia.

    Recommendations

    1. Audit and restrict legitimate tools such as AteraAgent and Netbird; implement application allowlisting to prevent unauthorized installations.
    2. Deploy detections for VBS script execution from temporary directories, creation of suspicious local admin accounts, and Netbird service creation — using EDR/SIEM rules.
    3. Strengthen email gateway filtering to block VBS downloaders, ZIP archives, and malicious URLs before reaching the end user.
    4. Conduct executive-level phishing training, focusing on spear-phishing with recruiter/job lures.
    5. Block the IOCs at their respective controls
      https://www.virustotal.com/gui/collection/514a495e31bc35e8c5d9ae59c4cfe030669f0ed60242f6e33cb01c472e8ce3a4/iocs

    Source:

    • https://hunt.io/blog/apt-muddywater-deploys-multi-stage-phishing-to-target-cfos

    Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

    No related posts found.

    Ampcus Cyber
    Privacy Overview

    This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

     Talk to an expert